Bounce message going backwards?


Randall
02-03-2004, 01:42 PM
We got a curious "bounce" message from someone using a McAfee WebShield appliance to scan for viruses. The original was a typical MyDoom email.

What's odd is that the reject message looks as though it was sent from us to them, yet it clearly was traveling the opposite direction since it's sitting in our spam box.

Return-Path: <antivirus@them.com>
Delivered-To: joe@us.com
Received: from wsip-68-15-53-98.ri.ri.cox.net(68.15.53.98) by webshielde250.them.com via csmap
    id 926e3bde_50ce_11d8_8d30_0002b3c89bef_15571;
    Tue, 27 Jan 2004 13:41:56 +0000 (UTC)
From: joe@us.com
To: bob@them.com
Subject: Returned due to virus; was:hello
Date: Tue, 27 Jan 2004 13:31:17 -0500

I've trimmed it down to just the essential headers and changed names to protect the innocent, but that's the original Received line. Why would the bounce have originated at some guy's cable modem if the WebShield appliance blocked the virus at the gateway? The Return-Path isn't empty like you'd expect, either.

Is this some quirk in the way WebShield assembles bounce messages, or is something else going on here? There's no virus attached, so I have no reason to believe MyDoom is spoofing McAfee.

Randall

sheila
02-03-2004, 07:40 PM
We are seeing more and more "client side" bounce type tools that try to make a "fake" bounce message with a somewhat genuine appearance. This one that you've shared reminds me somewhat of the "fake" bounces generated by the MailWasher utility. Not sure WHAT exactly is generating this "returned" message, but it does appear to be something on the end user's machine (esp. due to the cable host/IP in the Received line).
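The three tells Randall points at (a "bounce" with a non-empty Return-Path, a first Received hop on a consumer cable host rather than the scanning gateway, and From: matching the local recipient) and the "fake bounce from the end user's machine" pattern sheila describes can be turned into a mail-filter check. The script below is an added example written for this thread; it is not code from the thread, from McAfee WebShield or from MailWasher. The heuristics, regexes and function names are my assumptions. The sample headers are the ones Randall posted, with the folded Received continuation lines indented so the parser treats them as one header.

```python
"""Flag 'backwards' bounce messages of the kind discussed in the thread.

Heuristics (my assumptions, not documented behaviour of any product):
 1. A genuine DSN carries the null reverse path (Return-Path: <>), per
    RFC 5321 / RFC 3464; a non-empty Return-Path on a bounce is a red flag.
 2. A gateway-generated bounce should originate at that gateway; a first
    hop whose reverse DNS embeds an IP (typical of consumer/dynamic hosts)
    points at an end-user machine instead.
 3. A bounce is sent by a postmaster/MTA address, so From: should not equal
    the local Delivered-To recipient.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Headers quoted in the thread (names already anonymised by the poster).
SAMPLE_HEADERS = """\
Return-Path: <antivirus@them.com>
Delivered-To: joe@us.com
Received: from wsip-68-15-53-98.ri.ri.cox.net(68.15.53.98) by webshielde250.them.com via csmap
    id 926e3bde_50ce_11d8_8d30_0002b3c89bef_15571;
    Tue, 27 Jan 2004 13:41:56 +0000 (UTC)
From: joe@us.com
To: bob@them.com
Subject: Returned due to virus; was:hello
Date: Tue, 27 Jan 2004 13:31:17 -0500

"""

# Subject words that claim the message is a delivery report (assumed list).
BOUNCE_SUBJECT = re.compile(
    r"\b(returned|undeliverable|delivery (status|failure)|mailer-daemon)\b", re.I)
# Four 1-3 digit groups joined by '-' or '.' inside a hostname, e.g. wsip-68-15-53-98.
IP_IN_NAME = re.compile(r"\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}")
# 'from <host>(<ip>)' or 'from <host> [<ip>]' at the start of a Received header.
FROM_HOST = re.compile(r"from\s+([\w.-]+)\s*\(?\[?(\d{1,3}(?:\.\d{1,3}){3})")


def first_hop(msg):
    """Return (host, ip) of the earliest Received hop, i.e. the last one listed."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = FROM_HOST.search(received[-1])
    return (m.group(1), m.group(2)) if m else None


def analyse_bounce(raw):
    """Return a list of findings; an empty list means nothing looked wrong."""
    msg = message_from_string(raw)
    findings = []
    if not BOUNCE_SUBJECT.search(msg.get("Subject", "")):
        return findings  # not claiming to be a bounce, so the checks do not apply

    return_path = msg.get("Return-Path", "").strip()
    if return_path not in ("", "<>"):
        findings.append(
            f"non-empty Return-Path {return_path}: real DSNs use the null sender <>")

    hop = first_hop(msg)
    if hop and IP_IN_NAME.search(hop[0]):
        findings.append(
            f"first hop {hop[0]} ({hop[1]}) looks like a consumer host, not a mail gateway")

    sender = parseaddr(msg.get("From", ""))[1]
    delivered_to = msg.get("Delivered-To", "").strip()
    if sender and sender == delivered_to:
        findings.append(
            f"From: {sender} equals the local recipient {delivered_to}: headers point the wrong way")
    return findings


if __name__ == "__main__":
    for finding in analyse_bounce(SAMPLE_HEADERS):
        print("suspicious:", finding)
```

Run against the posted headers it reports all three findings; a bounce that really came from the scanning gateway (Return-Path: <>, first hop at the gateway, From: a postmaster address) passes clean. The checks are deliberately conservative: they only fire on messages whose Subject claims to be a delivery report, so ordinary mail is left alone.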

Randall
02-03-2004, 10:22 PM
Hmmm. I wonder if this WebShield "appliance" depends on client-side software to some extent?

Still wouldn't explain why it seemed to be coming from us instead of them -- unless it's a gimmick to get past spam filters.

Weird.

Randall